5 Legal Issues Surrounding Electronic Medical Records

Though the technology has been around for roughly 30 years, physicians making the move from paper to electronic medical records may still face some challenges — particularly when it comes to understanding the legal implications of EMRs. In Nov. 2011, the Centers for Disease Control and Prevention reported that the percentage of physicians who've adopted basic EMRs in their practice doubled from 17 to 34 percent from 2008-2011. The percent of primary care physicians using EMRs grew even more, roughly doubling from 20 to 39 percent in that same time frame.

A large portion of EMR implementation revolves around a seamless transition for physicians, nurses and other caregivers, so as to not disrupt workflow or take excessive time out of their day. These systems, however, pose certain legal risks for physicians and healthcare systems that should not go unnoticed.

1. Risk for medical malpractice claims. Although EMRs present significant opportunities for long-term gain, they are quite a thorn in physicians' side at first. Physicians undergoing EMR implementation are at increased risk for medical malpractice during the time of adoption. The risk of error increases during the "implementation schism," or the time between the health system's transition from a familiar system to a new one. While many believe EMRs improve patient safety, their impact on medical malpractice claims remains unclear. A 2010 New England Journal of Medicine report was unable to determine whether EMR-use increases or reduces malpractice liability overall — even after the implementation stage is complete.

Beyond boosting the mere risk of lawsuits, EMRs also affect the course of such litigation by increasing the availability of data and documentation that can either defend or prove a malpractice claim. Documentation in electronic form is often organized, detailed and more legible. Under federal law, EMR metadata — which consists of all electronic transactions such as time stamps of clinical activity and the input of orders — is discoverable in civil trials. This varies on a state-by-state basis, however, and state law governs most malpractice litigation.

EMRs include more detailed patient information than what is required in traditional paper records, according to a report from the Federal Trade Commission. This can either help or hurt the physician's case against malpractice claims. For instance, the FTC report details a case in which a patient was left quadriplegic after surgery. The suit first targeted the surgeon's competence, but further review of EMR metadata revealed a date stamp that signaled suspicion over whether the anesthesiologist was present for the entire duration of the surgery. The availability of such EMR data in pre-trial discovery can heighten the likelihood of prosecutors finding some evidence of wrongdoing among an entire team of providers.

"There's human tendency to fall to recommendations coming from literature," says Holly Carnell, JD, attorney with McGuireWoods in Chicago. "But if you read the EMR contract, there are various limitations related to the liability of the EMR vendor. If there's an error related to the accuracy of the clinical content or the manner in which the content is presented to the physician, it's difficult for the patient or hospital to hold the vendor accountable. That increases malpractice risk for the physicians," says Ms. Carnell.

EMRs also present the courts and the industry with previously unaddressed issues, for example, what constitutes the "legal medical record?" In the paper world, a medical record is a folder containing a stack of paper a physician uses as part of his or her basis for a clinical decision. However, in the electronic world, a physician is looking at certain screen shots in a particular order. "There's a big debate on what should be produced when a plaintiff requests a copy of a patient’s medical record," says Ms. Carnell. Generally, the "print medical record" function in an EMR generates a report that bears no resemblance to what a physician was looking at when he or she made clinical decisions at the time of treatment.

EMRs are also regularly upgraded and hospitals aren't required to maintain a copy of the old environment, since doing so would be quite costly. Therefore, even if screen shots were produced, if the system had been upgraded between the time of treatment and the time the screen shots were captured, the screen shots may not represent what the physician relied upon to make a clinical decision. While there has not yet been a clear and concise resolution to this issue, it is certainly a matter to keep an eye on as EMRs continue to grow more sophisticated and are more commonly adopted by healthcare providers.

2. Likelihood of medical errors. Given the tools available in EMR software, there's a common belief that EMRs can greatly reduce medical errors. But just as a reliance on spell check can leave an email peppered with spelling blunders, too much dependence on an EMR can result in small mistakes that can quickly turn into medical errors.

A 2005 study published in the Journal of the American Medical Association found widely-used computerized physician order entry systems facilitated 22 different types of medication error risks. This included pharmacy inventory displays being mistaken for dosage guidelines, inflexible ordering formats that generated wrong orders, and CPOE display screens that prevented a coherent view of the patient's medications. Further, 75 percent of clinical staff surveyed said they encountered these error risks weekly or more often.

The New England Journal of Medicine article previously mentioned also pointed out that physicians' overreliance on a simple EMR function like copy and paste can perpetuate mistakes, leaving a long trail of errors less likely to be corrected. The copy and paste function also presents issues when it comes to authorship if a medical record is investigated for legal purposes. Aside from individual errors, EMRs also present the risk of bugs, viruses or other technological inefficiencies — crises that were never an issue with paper records.

Sometimes all it takes is a click of a mouse. Kenny Lin, MD, a family physician practicing in the Washington, D.C.-area, wrote a column in 2010 for U.S. News & World Report in which he recalled the time he nearly prescribed a patient the wrong medication for an ear infection due to an accidental click of the mouse. "I knew perfectly well that oral antibiotics — not eardrops — were the best choice and knew which one to prescribe, but had accidentally clicked on the wrong choice in my EMR system, leading to the wrong prescription being printed," Dr. Lin wrote in the column. Fortunately, Dr. Lin caught the mishap in time to still provide the patient with the correct prescription.

3. Vulnerability to fraud claims. The Obama administration's robust focus on healthcare fraud has signaled sharper focus on specific avenues for improper claims or billing, including EMRs. The Office of Inspector General's 2012 Work Plan included a focus on fraud vulnerabilities specifically presented by EMRs, making it the first work plan in which the agency explicitly named EMRs as targets for review. It also outlined plans to review Medicare and Medicaid EMR incentive payments to prevent erroneous payments to providers.

Apart from OIG scrutiny, EMRs present another risk to physicians when it comes to violations of the Stark Law and the Antikickback Statute. Under the Medicare Modernization Act of 2003, the Dept. of Health and Human Services developed safe harbors to promote physicians' adoption of HIT. Under these rules, published in 2006, healthcare systems or hospitals can pay as much as 85 percent of an EMR's cost for physicians in private practice. The physicians, in turn, must pay for hardware, installation and technical support. The safe harbor protects an exchange that would otherwise violate Stark Law — which prohibits monetary or non-monetary exchanges for referrals — and the Antikickback Statute. The rule was finalized under the rationale that the benefit of HIT adoption trumps potential risks of fraud.

Still, despite the safe harbor and exception, hospitals and physicians still risk legal repercussions if agreements are not meticulously crafted. "There are very specific requirements for the Stark Law exception and Antikickback Statute Safe Harbor," says Ms. Carnell. "There needs to be a written agreement carefully structured to avoid running afoul of these laws." A financial relationship between an entity offering designated health services and a referring physician will violate the Stark Law if it does not meet all of the requirements of a Stark Law exception. The Stark Law is strict liability and does not factor intent. "Even a so-called technical error, such as not fully executing the agreement, would be a violation," says Ms. Carnell.

The Antikickback Statute, on the other hand, is an intent-based statute with civil and criminal penalties. The government would examine the donation of EMR technology and determine whether there was intent to induce referrals to the hospital. "Full compliance with the Safe Harbor protects the donor and recipient of EMR technology from liability under the Antikickback Statute," says Ms. Carnell.

The Stark Law exception and the Antikickback Safe Harbor are substantially similar. However, because Antikickback is intent based, failure to meet all of the requirements of the Safe Harbor does not necessarily constitute a violation of the Antikickback Statute. "If the arrangement does not meet all of the elements of the Safe Harbor, and there is intent by the hospital to induce referrals though the EMR agreement, then the donor and recipient risk liability under the Antikickback Statute," says Ms. Carnell.

4. Breaches, theft and unauthorized access to protected health information. The Department of Health and Human Safety posts all data breaches affecting 500 or more individuals on a public website. Since Sept. 2009, there have been 380 incidents reported. The number of patients affected by health data breaches has been on the rise, with 5.4 million affected in 2010 compared to roughly 2.4 million patients affected in 2009. Theft was the most common cause of breaches affecting 500 or more individuals in 2010, the last year for which such data is available. Human error, loss of records and intentional unauthorized access to protected information were also general causes of breaches.

In 2011, Sacramento, Calif.-based Sutter Health was one system to experience a breach when a computer was stolen from its administrative offices and potentially exposed private information pertaining to more than four million patients. HHS and the Office for Civil Rights showed teeth in 2011 when they issued a civil money penalty of $4.3 million against Largo, Md.-based Cignet Health for a HIPAA violation. The fine, issued Feb. 22, was the first imposition of a CMP by the OCR for a HIPAA violation. A mere two days later, the agencies announced Massachusetts General Hospital in Boston had agreed to pay $1 million to settle potential HIPAA violations. A message was sent loud and clear to healthcare providers in those three days: OCR doesn't take HIPAA enforcement lightly.

"That was an interesting week," says Ms. Carnell. "Prior to the HITECH Act [part of the American Recovery and Reinvestment Act of 2009], HIPAA was all bark and no bite. Enforcement efforts related to HIPAA were virtually non-existent. Now the government's ability and resources to pursue covered entities and their business associates is vastly enhanced," says Ms. Carnell. Economic factors come into play when it comes to this enforcement, as the administration has recognized HIPAA and HITECH violations as an ample avenue to recover funds and bring money back into a financially-addled government.

The most important steps hospitals can take to protect themselves in this environment of enforcement are thorough preparation and timely and appropriate response to HIPAA related incidents. For example, hospitals should have comprehensive HIPAA policies and procedures and the workforce should be appropriately trained to comply with such policies. Further, in the event of an impermissible use or disclosure of a patient’s protected health information, the hospital should analyze the facts and circumstances, determine whether the use or disclosure rises to the level of a breach, take remedial measures to minimize the likelihood of the event happening again, report the incident as required under the HIPAA breach rules, and ensure accurate documentation is retained related to the incident.

"If a hospital is investigated or audited, it wants to be able to show it has taken steps to appropriately respond and remedy the incident. Fines aren't generally imposed unless it's an egregious violation or the violator has not cooperated with the government," says Ms. Carnell. "When a hospital suffers an inadvertent disclosure of health information because of a human error and immediately responds and remedies the situation, we haven't seen many fines." In general, the OCR has expressed a stronger focus on voluntary compliance rather than sanctions, according to Ms. Carnell.

5. Practical tips for healthcare leaders. Given the relative novelty of the EMR, hospital leaders may need to devote more strategy to ensure physicians are well-informed about compliance and legal risks. This starts in the EMR training process, which is not always easy for physicians. Given their traditional modus operandi, hospitals may need to develop certain initiatives in EMR education to make sure employees don't run legal risks out of ignorance.

"Physicians are trained to autonomously practice medicine in the care of their patients," says Alan Cudney, RN, an executive consultant with healthcare consulting firm Beacon Partners. "Sometimes physicians and other members of the clinical team don't like to admit it when they don't know things. Sometimes, when teaching them to use new clinical software application, you may have to do so in a private environment. One-on-one training, as well as personalized "at the elbow" user support may be more effective, since physicians may feel less intimidated admitting uncertainties about using the EMR. In these one-on-one settings, physicians can more comfortably think about and discuss impacts of the software on their workflow, including real-life examples of how legal concepts affect their day-to-day routine.

Mr. Cudney also recommends hospital leaders promote cooperation between the hospital's IT department and physicians. The IT department can isolate itself from EMR users within the hospital and lose touch with the "customer" focus. In this context, physicians are not necessarily customers, but should be treated as such, with an emphasis on convenience, user input, reliable support and comprehensive training. When the IT department provides these services, physicians will be more accepting of change and more likely to embrace the new technology, according to Mr. Cudney. At the same time, this focus on the end-user must be balanced with a change control process that reviews all user requests and input against the strategic plan for the EMR and its impact on patient care workflows. Without adequate change control, the IT department could over-accommodate to the point of implementing inconsistent content or conflicting enhancements. To this point, hospital management should consistently evaluate physician-IT relations to ensure balance and cooperation.